From: Rune Henssel (bugtraqhenssel.dk)
Date: Sun Feb 10 2002 - 18:32:20 CST

    Anybody know a RootKit called TuxKit1.0 and another kit that creates the following files:

    -rw-r--r-- 1 root root 241 Jan 29 12:09 /dev/xdta
    -rw-r--r-- 1 root root 146 Feb 10 18:46 /dev/xmx
    drwxr-xr-x 3 root root 4096 Feb 11 00:31 /usr/man/man1/.. /.dir
    -rwxr-xr-x 1 root root 7165 Sep 16 2000 /usr/man/man1/.. /.dir/snif
    -rwx------ 1 root root 63 Sep 16 2000 /usr/man/man1/.. /.dir/klog
    -rwx--x--x 1 root root 8268 Oct 16 1999 /usr/man/man1/.. /.dir/crush
    -rwxr-xr-x 1 root root 4060 Mar 5 1999 /usr/man/man1/.. /.dir/create
    -rwxr-xr-x 1 root root 22173 Dec 9 2000 /usr/man/man1/.. /.dir/s
    -rwxr-xr-x 1 root root 37711 Dec 9 2000 /usr/man/man1/.. /.dir/w
    -rw-r--r-- 1 root root 15853742 Feb 11 00:35 /usr/man/man1/.. /.dir/log
    drwxr-xr-x 5 root root 4096 Jun 20 2001 /usr/man/man1/.. /.dir/sc
    drwxr-xr-x 2 mnk 501 4096 Mar 17 2001 /usr/man/man1/.. /.dir/sc/bindscan
    -rwxr-xr-x 1 root root 17971 Mar 11 2001 /usr/man/man1/.. /.dir/sc/bindscan/bind
    -rwxr-xr-x 1 root root 15781 Mar 11 2001 /usr/man/man1/.. /.dir/sc/bindscan/scan
    -rwxr-xr-x 1 mnk 501 299 Mar 1 2001 /usr/man/man1/.. /.dir/sc/bindscan/try
    -rw-r--r-- 1 mnk 501 4780 Mar 4 2001 /usr/man/man1/.. /.dir/sc/bindscan/scan.c
    -rw-r--r-- 1 mnk 501 111 Mar 4 2001 /usr/man/man1/.. /.dir/sc/bindscan/xlist
    -rwxr-xr-x 1 mnk 501 382 Mar 1 2001 /usr/man/man1/.. /.dir/sc/bindscan/r00t
    -rw-r--r-- 1 mnk 501 7692 Mar 1 2001 /usr/man/man1/.. /.dir/sc/bindscan/bind.c
    drwxr-xr-x 2 root root 4096 Jun 20 2001 /usr/man/man1/.. /.dir/sc/sc
    -rwxr-xr-x 1 root root 13067 Dec 1 2000 /usr/man/man1/.. /.dir/sc/sc/ben
    -rwxr-xr-x 1 rasmusm 1000 1441 Aug 10 2000 /usr/man/man1/.. /.dir/sc/sc/ben.c
    -rw------- 1 root root 65536 Nov 30 2000 /usr/man/man1/.. /.dir/sc/sc/core
    -rwxr-xr-x 1 root root 112 Aug 10 2000 /usr/man/man1/.. /.dir/sc/sc/osscan
    -rwxr-xr-x 1 rasmusm 1000 4444 Aug 10 2000 /usr/man/man1/.. /.dir/sc/sc/pscan.c
    -rwxr-xr-x 1 root root 15715 Nov 30 2000 /usr/man/man1/.. /.dir/sc/sc/scan
    -rwxr-xr-x 1 root root 15121 Nov 21 2000 /usr/man/man1/.. /.dir/sc/sc/wus
    drwxr-xr-x 2 root root 4096 Jun 20 2001 /usr/man/man1/.. /.dir/sc/lameru
    -rwxr-xr-x 1 root root 1586 Jan 29 2001 /usr/man/man1/.. /.dir/sc/lameru/lamer
    -rwxr-xr-x 1 root root 11632 Mar 4 2001 /usr/man/man1/.. /.dir/sc/lameru/statdx
    -rwxr-xr-x 1 root root 6468 Mar 4 2001 /usr/man/man1/.. /.dir/sc/lameru/scan-a

    We have 2 servers; one has been infected by TuxKit1.0 and the other one by this unknown kit.

    Any help would be greatly appreciated.

    Rune Henssel
    System Administrator

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
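
Added example (not part of the original post): a shell check for the two kinds of artefact visible in the listing above, regular files directly under /dev and dot-prefixed entries inside a man page tree such as the ".. " directory. The function names, the root-directory argument, and the MAKEDEV and /dev/shm exclusions are assumptions of this example; run it with trusted tools against a mounted copy of the disk where possible, since binaries on a compromised host may hide these files.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the
# root-directory argument are assumptions of this example.

# Regular files under <root>/dev. /dev is expected to hold device nodes;
# MAKEDEV scripts and the /dev/shm tmpfs are excluded as known exceptions
# (assumption: adjust for the distribution being examined).
dev_regular_files() {
    [ -d "$1/dev" ] || return 0
    find "$1/dev" -path "$1/dev/shm" -prune -o \
        -type f ! -name 'MAKEDEV*' -print
}

# Dot-prefixed entries inside man page trees, which normally contain only
# manN/catN directories and page files. -prune reports the top-most hit
# (for the listing above, the ".. " directory) without descending into it.
man_hidden_entries() {
    for d in "$1/usr/man" "$1/usr/share/man"; do
        [ -d "$d" ] && find "$d" -name '.*' -print -prune
    done
    return 0
}

# Usage: sh check.sh /mnt/suspect   (or "/" for the running system)
if [ -n "${1:-}" ]; then
    root=${1%/}
    # sed -n l makes trailing spaces and control characters visible
    dev_regular_files "$root" | sed -n 'l'
    man_hidden_entries "$root" | sed -n 'l'
fi
```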